REMARKS 



Applicant has carefully studied the outstanding Office Action in the 
present application. The present response is intended to be fully responsive to all points 
of rejection raised by the Examiner and is believed to place the application in condition 
for allowance. Favorable reconsideration and allowance of the application are 
respectfully requested. 

Applicants express their appreciation to Examiner Kenneth Tang for the 
courtesy of an interview, which was granted to Applicants' representative, Sanford T. 
Colb (Reg. No. 26,856). The interview was held in the USPTO on September 13, 2005. 
The substance of the interview is set forth in the Interview Summary. 

At the interview, the claims were discussed vis-a-vis the 35 USC 112 
rejections. The Interview Summary states, in relevant part, "It was agreed to cancel 
claims 22, 23, 24, 37 and 38 due to lack of support in the specification. It was agreed to 
clear up certain claim language such as the limiting period being the learning period, the 
elements are the sectors, changing 'daughter 5 to 'child', and being more specific about 
the 'information about said accesses in an enforcement file.' It was also agreed to clear 
up that the system is assumed to virus free during the monitoring and learning period, etc. 
It was also agreed to fix any lack of antecedent basis problems, such as 'the program' in 
claim 21, 'the damage,' 'said application,' 'said period,' 'the user,' etc, and in claim 35, 
'said second application.' It was also agreed to amend claim 42 to reflect something 
tangible, such as a 'computerized method' to overcome any 35 USC 101 rejection. It was 
finally agreed that the Applicant make these previously mentioned amendment in an 
official response, and to discuss further, if required." 

Applicant has accordingly amended the claims as discussed at the 

interview. 

Claims 19 and 21-44 stand rejected under 35 USC 1 12, first paragraph, as 
failing to comply with the written description requirement. 

Concerning the above rejection, the Examiner wrote "Learning only the 
normal behavior of the application is ... not described in the specification." The applicant 
has amended claims 19, 25-34 and 36-41 to recite permitted and forbidden activities. The 



applicant respectfully submits that the amendments to the claims are supported in the 
specification by page 6, second paragraph and by the embodiment of Fig. 2 and the 
description thereof. 

Claims 41-44 stand rejected under 35 USC 112, second paragraph, as 
being indefinite for failing to particularly point out and distinctly claim the subject matter 
which applicant regards as the invention. 

Applicant has amended claims 41-44 to overcome this rejection. 

Applicant has added new claims 45-48 to further define the data sectors 
being accessed. Support for claims 45-48 is found in the specification in Table 1 and on 
page 9, lines 13-14. 

Claims 19, 21-39 and 42-44 stand rejected under 35 USC 103(a) as being 
unpatentable over Shieh et al (US 5,278,901, hereinafter Shieh) in view of Crosbie et al. 

Shieh describes a pattern-oriented intrusion detection system and method. 
As stated by the Examiner in his rejection of claim 19, "Shieh fails to explicitly teach 
apparatus for learning about the normal behavior of said application to said data storage 
... by monitoring access . . . during a limited period." 

Crosbie describes a prototype architecture for an active defense 
mechanism for computer systems. 

Applicant submits that the object of Crosbie is an intruder. As the 
examiner has pointed out in section 8 of the pending Official Action, "Crosbie teaches an 
intruder detection system that recognizes the intruder, learns about the intrusions, and 
prevents (disallows) possibly intruders ..." In contrast to Crosbie, the present invention, 
as recited in claims 19 and 40, is directed to an application where the operation thereof is 
assumed to be legitimate, i.e. non-intruder, at least for a limited learning period during 
which its behavior is monitored to determine permitted access. In order to make the 
application program of the present invention malicious, an intruder, which is another 
program, has to infect the application program. As such, the application program as 
recited in claims 19 and 40, is certainly not an intruder and therefore the combination of 
Shieh and Crosbie would not result in the apparatus recited in claims 19 and 40. 

Additionally, Applicant respectfully submits that Crosbie does not show 
or suggest apparatus for learning about permitted access behavior of an application to 



data storage ... by monitoring access . . . during a limited learning period, as recited in 
amended claims 19 and 40. 

Applicant respectfully submits that the system described by Crosbie does 
not monitor access during a limited learning period to determine permitted behavior, 
rather Crosbie describes a system that has an initial set of allowed and disallowed 
activities and is trainable to distinguish between allowed and disallowed activities. 

Crosbie describes these qualities: 

It should be possible to specify what actions are to be allowed and 
disallowed initially. The detection system should also be trainable to 
recognise what actions are common on the system and adjust its 
detection mechanisms accordingly. ... As system profiles change over 
time, the detection system will change with them to allow the newer 
activities, and possibly disallow earlier actions. 

(page 2, paragraph bridging columns 1 & 2) 

As described above, Crosbie allows system profiles to change beyond the 
initial definition and also allows earlier allowed activities to become disallowed 
activities. Thus, Crosbie describes a system that does not show or suggest the apparatus 
and method of the present invention, which provides a limited learning period to 
determine which accesses are permitted and which are forbidden, after which time the 
definitions of permitted and forbidden do not change. 

Applicant further submits that Crosbie describes a system and method to 
prevent intruders from accessing data storage. The apparatus and method of the present 
invention is designed to allow an application access to permitted portions of data storage 
while denying access to forbidden portions of data storage. The present invention 
determines which areas are permitted and forbidden based on the accesses of the 
application itself during a limited learning time when the application is assumed to be 
operating in a permitted fashion. Crosbie does not show or suggest allowing an 
application to access a permitted part of data storage while forbidding access to another 
part of data storage. Additionally, Crosbie does not show or suggest using accesses of an 
application to determine permitted and forbidden access areas. 



i 



Applicant therefore submits that neither Shieh nor Crosbie show or 



suggest an apparatus for learning about permitted access behavior of an application to 
data storage ... by monitoring accesses of the application to sectors of the data storage 
during a limited learning period, as recited in amended claims 19 and 40. 



Applicant also submits that neither Shieh nor Crosbie show or suggest 



monitoring accesses of an application to sectors of data storage during a limited learning 
period ... thereby learning permitted access behavior of said application, as recited in 
amended claims 25 and 41 . 



In view of the above discussion, independent claims 19, 25 and 40-42 are 



deemed allowable. Claims 21 and 36 depend from claim 19 and recite additional 
patentable subject matter and are also deemed allowable. Claims 26 - 35 and 39 depend 
directly or ultimately from claim 25 and recite additional patentable subject matter and 
are also deemed allowable. Claims 43 and 44 depend from claim 42 and recite additional 
patentable subject matter and are also deemed allowable. 

Claims 22-24 and 37-38 have been cancelled without prejudice. 

Applicant reserves the right to pursue the claims as originally filed in the 
context of a continuation application. 

In view of the foregoing, all of the claims are deemed to be allowable. 
Favorable reconsideration and allowance of the application is respectfully requested. 
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